AlmaLinux OS 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-269260 | ALMA-09-020370 | SV-269260r1050142_rule | Medium |
Description |
If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. |
STIG | Date |
CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 |
Details
Check Text (C-73291r1048156_chk) |
Verify the SSH daemon performs compression after a user successfully authenticates with the following command: $ sshd -T | grep compression Compression no If the "Compression" keyword is set to "yes", this is a finding. |
Fix Text (F-73192r1048157_fix) |
Configure the SSH daemon to not allow compression. Add the following line to "/etc/ssh/sshd_config", or uncomment the line and set the value to "delayed" or preferably "no": Compression no Alternatively, add the setting to an include file if the line "Include /etc/ssh/sshd_config.d/*.conf" is found at the top of the "/etc/ssh/sshd_config" file: $ echo 'Compression no' > /etc/ssh/sshd_config.d/40-compression.conf Restart the SSH daemon for the settings to take effect: $ systemctl restart sshd.service |